X-Ways Forensics 18.0

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 14, 2014 - 19:00:   

A preview version of the dongle-based edition of X-Ways Forensics 18.0 is now available. The download link can be retrieved as always by querying one's license status.

What's new?

* Improved stability and quality of e-mail extraction from Exchange databases.

* Preview of Skype chat sync files (named "chatsync" in the Type column). Shows the complete chat and the IP addresses of the participants. Events are also extracted.

* Internal memory allocation tracking can now be enabled in Options | Security for debugging purposes.

* Some other internal improvements.

* Some of the fixes of v17.9 SR-1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Oct 20, 2014 - 8:09:   

Preview 2:

* The ".." item at the top of the directory browser that appears when navigating within a volume from one directory to another is now optional. If displayed, it is now frozen at the top of the directory browser and does not scroll along with all the other items. And it now shows all the information on the directory that it represents (the one that you would navigate to if you double-click it), just like with all the other items in the directory browser. And a "." item is now also displayed optionally, representing the currently explored directory. Useful if for example you wish to see certain metadata (e.g. timestamps) of the parent object at the same time as metadata of its child objects. And if the . or .. item is a file and you select it, then you can now see that particular file in File, Preview or Details mode. And it is represented in Gallery mode.

* When clicking any component of the current path in the caption line of the directory browser, this will now navigate directly to that directory (or file with child object) whose name you clicked.

* The "Keep track of viewed files" option has been moved to Options | Viewer Programs.

* Support for e-mail extraction from MBOX e-mail archives larger than 4 GB.

* Some fixes of errors in Preview 1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Oct 21, 2014 - 9:34:   

Preview 3:

* Some fixes of errors in Preview 2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Oct 30, 2014 - 19:29:   

Preview 4:

* File header signature searches, block-wise hash matching, FILE record searches, searches for lost partitions, and physical simultaneous searches are now sparse-aware operations when dealing with compressed and sparse .e01 evidence files. That means that areas that on the original hard disk were never written and zeroed out or areas that had been wiped on the original hard disk or consciously omitted areas in cleansed images are skipped and require almost no time, because their data neither has to be read nor decompressed nor further processed (searched/hashed and matched against the block hash database).

Sparse-awareness is guaranteed to be active for .e01 evidence files that were created by X-Ways Forensics and X-Ways Imager 16.1 and later (also possibly for images created by 3rd party software, depending on the settings and the internal layout). Operations are not sparse-aware on images of Windows dynamic disks, images of LVM2 disks, and on reconstructed RAIDs based on .e01 evidence files.

* Logical searches in files stored in an NTFS file system are also sparse-aware at the .e01 evidence file level, and generally logical searches in virtual "Free space" files.

* Logical searches in NTFS, Ext*, XFS and UFS file systems are now sparse-aware at the file system level. That means no time is wasted on large sparse areas within sparse files, they are not processed, regardless of whether the evidence object is an .e01 evidence file, raw image, RAID, or actual disk.

* Support for newer Photoshop thumbnail cache format.

* A new "Special interest" entry allows you to either carve Google search URLs with "ei" parameters as files or (better) output events with the contained timestamps (if "Provide by-catch timestamps from various sources as events" is checked).

* Better avoids false positives when carving files with support NTFS compression enabled.

* Improved Windows account administration section in the registry report.

* Some minor improvements.

* Some fixes of errors in Preview 3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 4, 2014 - 7:35:   

Preview 5:

* Supports a new PST/OST data storage method as used in Outlook 2013.

* Some improvements for file type verification.

* Several minor improvements.

* Same fix level as v17.9 SR-2.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 4, 2014 - 20:42:   

Preview 6:

* Same fix level as v17.9 SR-3.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 11, 2014 - 17:59:   

Preview 7:

* Ability to extract alternative names and timestamps from Linux PNG thumbnails as known from Ubuntu and Kubuntu distributions, desktop manager MATE and GNOME ThumbnailFactory during metadata extraction. The name of the original file is shown in square brackets in the Name column and the recorded timestamp of the original file is shown as a "Content created" timestamp. The complete path of the original file can be seen in the Metadata column.

* Fixed inability to evaluate equations in templates depending on notation settings.

* Containers of the old format (from more than 3 years ago) can no longer be created or further filled, but can still be used in cases as evidence objects.

* More thorough extraction of embedded files in PE executables (not done by default, only if addressed via the file mask).

* Separate "Append type as extension if newly identified" checkbox for "Use associated program for viewing". Allows you to more easily get Windows to run the right program for misnamed files, files without extension etc.

* Several minor improvements.

* Same fix level as v17.9 SR-4.
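
Added example, not part of the original post and not X-Ways code: a minimal Python reader for the thumbnail metadata described in Preview 7. It assumes the thumbnails follow the freedesktop.org thumbnail specification, which records the original file's URI and modification time in PNG tEXt chunks under the keys Thumb::URI and Thumb::MTime; the sample PNG and its path are constructed.

```python
import struct
import zlib
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (type, payload) for each PNG chunk, checking length and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        if ctype == b"IEND":
            return
        pos = end + 4


def thumbnail_metadata(data):
    """Return the original file's name, full path and recorded mtime (UTC)."""
    text = {}
    for ctype, payload in iter_chunks(data):
        if ctype == b"tEXt" and b"\x00" in payload:
            key, value = payload.split(b"\x00", 1)
            text[key.decode("latin-1")] = value.decode("latin-1")
    uri = text.get("Thumb::URI")        # key name per the freedesktop spec
    mtime = text.get("Thumb::MTime")    # seconds since the Unix epoch
    path = unquote(urlparse(uri).path) if uri else None
    return {
        "name": path.rsplit("/", 1)[-1] if path else None,
        "path": path,
        "mtime": (datetime.fromtimestamp(int(mtime), tz=timezone.utc)
                  if mtime and mtime.isdigit() else None),
    }


def make_chunk(ctype, payload):
    """Build one PNG chunk (length, type, payload, CRC) for the sample."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


# Constructed sample: a 1x1 grayscale thumbnail carrying the two keys.
SAMPLE = (PNG_SIGNATURE
          + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + make_chunk(b"tEXt", b"Thumb::URI\x00file:///home/alice/Pictures/holiday%20photo.jpg")
          + make_chunk(b"tEXt", b"Thumb::MTime\x001415728740")
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    print(thumbnail_metadata(SAMPLE))
```

The CRC check matters when thumbnails are carved from unallocated space: a chunk that fails it should not be trusted as a source of names or timestamps.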
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Nov 17, 2014 - 20:45:   

Preview 8:

* Ability to import hash sets in the current JSON/ODATA format layout as used by Project Vic and found in the Hubstream Inbox.

* Option to show results of the file header signature search as child objects of existing files, not in the directory for carved files, if they were found within these other files.

* Ability to toggle column visibility purely with the mouse, by clicking the column labels in Options | Directory Browser.

* Several minor improvements.

* Same fix level as v17.9 SR-5.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 19, 2014 - 13:07:   

Preview 9:

* Option to create automatic report table associations for files that have been added to an evidence file container.

* When creating two copies of an image at the same time, ability to automatically verify both of them.

* Same fix level as v17.9 SR-6.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Thursday, Nov 20, 2014 - 20:04:   

Preview 10:

* Same fix level as v17.9 SR-7.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 25, 2014 - 20:29:   

Beta 1:

* Option to maintain two separate hash databases at the same time, based on the same hash type or different hash types. Useful for example if you receive hash sets from different sources based on different hash types (e.g. some with MD5 and some with SHA-1 values) and wish to use them simultaneously, or if you have one large hash database for general use that you share with colleagues and wish to quickly create temporary case-specific hash sets yourself without altering the main hash database.

When creating a hash set yourself, you can choose to which hash database it should be added. That can be file hash database #1 or file hash database #2 or the block hash database.

When managing the hash databases, you can switch from file hash database #1 to #2 and back, and from #1 also to the block hash database as in previous versions.

The ability to import an entire folder of hash sets has been dropped. You can still import multiple selected hash sets in the same directory at once.

* Ability to compute hash values of two different hash types at the same time when refining the volume snapshot, for general purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values will be matched against any of the two hash databases whose hash type fits. That means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1, and hash database #1 is based on SHA-1 and #2 based on MD5, X-Ways Forensics will match the hash values accordingly. The hash types in the volume snapshot and in the hash databases do not have to be in the same order.

* Which hash value is displayed in the Hash column can be changed in the Directory Browser Options dialog. Either the primary hash value or the secondary hash value or both at the same time (if the box is half checked). The Hash column filter is applied to the hash type(s) that is/are currently displayed. Which hash type(s) is/are displayed in the Hash column can be seen in the column header.

* The Hash Set column shows known matches for both hash databases simultaneously. The filter can be used to filter for selected hash sets of one of the databases at a time. The database to choose hash sets from can be selected in the filter dialog.

* The Hash Category column shows only one category. If you assign the hash value of a certain file in one hash database to one category and the hash value of the same file in the other hash database to the other category, you will be warned once during matching and given exact information about which hash value in which hash sets in which hash databases are conflicting. The categorization as "notable" will prevail when in doubt.

* Same fix level as v17.9 SR-8.
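
Added example, not part of the original post and not X-Ways code: a Python sketch of the matching behaviour described in Beta 1, where two hash types are computed in one pass and each is matched against whichever database has the fitting type, with "notable" prevailing on a category conflict. The class and function names, the "irrelevant" category label and the sample data are assumptions made for illustration.

```python
import hashlib
import io

NOTABLE = "notable"
IRRELEVANT = "irrelevant"   # assumed label for the non-notable category


class HashDatabase:
    """One file hash database: a single hash type, many named hash sets."""

    def __init__(self, label, hash_type):
        self.label = label
        self.hash_type = hash_type      # e.g. "md5" or "sha1"
        self.entries = {}               # hex digest -> [(set name, category)]

    def add_set(self, set_name, category, digests):
        for digest in digests:
            self.entries.setdefault(digest.lower(), []).append((set_name, category))


def compute_hashes(stream, hash_types, chunk_size=1 << 20):
    """Read the data once and feed every chunk to all requested hash types."""
    hashers = {t: hashlib.new(t) for t in hash_types}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {t: h.hexdigest() for t, h in hashers.items()}


def match(file_hashes, databases):
    """Match each computed hash against every database of the same type.

    The order of hash types in file_hashes and in databases is irrelevant.
    Returns (matching hash sets, category, conflict flag).
    """
    sets, categories = [], set()
    for db in databases:
        digest = file_hashes.get(db.hash_type)
        for set_name, category in db.entries.get(digest, []):
            sets.append(f"{db.label}:{set_name}")
            categories.add(category)
    conflict = len(categories) > 1
    if NOTABLE in categories:
        category = NOTABLE              # "notable" prevails when in doubt
    else:
        category = next(iter(categories), None)
    return sets, category, conflict


def demo():
    """Primary MD5 / secondary SHA-1 against database #1 (SHA-1) and #2 (MD5)."""
    data = b"constructed sample file content"
    db1 = HashDatabase("#1", "sha1")
    db1.add_set("shared-known-files", IRRELEVANT, [hashlib.sha1(data).hexdigest()])
    db2 = HashDatabase("#2", "md5")
    db2.add_set("case-specific", NOTABLE, [hashlib.md5(data).hexdigest()])
    hashes = compute_hashes(io.BytesIO(data), ["md5", "sha1"])
    return match(hashes, [db1, db2])


if __name__ == "__main__":
    print(demo())
```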
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Nov 26, 2014 - 20:56:   

Beta 1b:

* Ability to decide where the second hash database should be stored. Useful if for example the primary hash database is shared with other users on a network drive and the user wishes to create or import new hash sets, either for temporary use only or while the primary hash database is locked by other users, to a locally stored second database.

* Fixed some errors in Beta 1.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Dec 5, 2014 - 11:14:   

Beta 2:

* Additional functionality can now be invoked from within X-Ways Forensics, the PhotoDNA algorithm, until further notice. For licensing reasons it is made available separately, and provided by X-Ways itself only to law enforcement agencies. (If your e-mail address has not been automatically registered yet, you may go to http://www.x-ways.net/law_enforcement.html.) It may be used to prevent the spread of child sexual abuse content and for investigations targeted to stop its distribution and possession.

For details about PhotoDNA please see http://www.microsoft.com/global/en-us/news/publishingimages/ImageGallery/Images/Infographics/PhotoDNA/flowchart_photodna_Web.jpg and http://news.microsoft.com/presskits/photodna/.

If the PhotoDNA functionality is present, a 4th (!) database, with PhotoDNA hash values of photos can be created and maintained within X-Ways Forensics, and photos may be matched against that hash database in X-Ways Forensics and X-Ways Investigator to identify known incriminating content. Because of the robustness of the hash algorithm and its specialization in photos, it is usually possible to recognize photos even if they have been stored in a different file format, experienced lossy compression repeatedly (e.g. JPEG), resized, partially blurred/pixelated, color-adjusted or contrast-adjusted etc. Unlike hash values computed by conventional general purpose algorithms, PhotoDNA hashes are resistant to various such image alterations.

Law enforcement agencies may want to create and share their own collections of such hash values, or import an extensive existing collection from Project Vic (www.projectvic.org). You can also import the PhotoDNA hash databases of other X-Ways users, you may delete hash categories that you don't need any more, and you may merge or rename categories in your database. When importing someone else's hash database, their categories of the same name will be merged with yours. X-Ways Forensics will attempt to deduplicate hash values of similar photos when adding hash values to the database.

Hash values can be added to the database for pictures in the volume snapshot of an evidence object in the same way as conventional hash sets are added to a conventional hash database. The database is one of the now 4 databases that can be managed with the Tools | Hash Database command. The PhotoDNA hash database is stored in a directory next to hash database #1.

Matching is part of "picture analysis and processing" in Specialist | Refine Volume Snapshot. If you select more strict matching (allow less variation in an image), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the combined SC%/PDNA column. Photos that are recognized via PhotoDNA already are not additionally checked for the amount of skin tones.

* When printing long paths on the cover page or at the top of the first page, such paths are now broken into multiple lines even if they do not contain any spaces.

* Skin tone computation slightly accelerated for high resolution photos.

* Some minor improvements.

* Same fix level as v17.9 SR-9.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 8, 2014 - 6:23:   

Beta 3:

* Option to recognize known photos via PhotoDNA even if they are mirrored (flipped horizontally).

* Ability to view loaded modules above the 4 GB barrier in 64-bit processes with Tools | Open Memory and read and edit memory in such address ranges. Unicode support for process and module names and paths in the memory editor. Page boundaries are represented by horizontal lines. Boundaries that represent gaps between contiguous allocated regions are represented by darker horizontal lines. The Info Pane now shows more information such as the maximum address represented and the number of allocation gaps (=number of contiguous allocated page ranges-1) as well as protection status and type of the currently displayed page. Several other minor improvements for the memory editor. Please note that you need the 64-bit edition to properly deal with 64-bit processes.

* New X-Tension function XWF_GetRasterImage. Provides a standardized true-color raster image representation for any picture file type that is supported internally in X-Ways Forensics (e.g. JPEG, GIF, PNG, ...), with 24 bits per pixel, with some powerful options.

* File type verification revised. File carving for Outlook for Mac 2011 improved.

* Some minor improvements.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Wednesday, Dec 10, 2014 - 18:45:   

Beta 4:

* Option to specify a user-defined timeout in milliseconds for loading pictures with the internal graphics viewing library, in Options | Viewer Programs.

* Support for a variant of FAT12 and FAT16 file systems with unusual directory entries.

* Modified unexpected behavior of the option "Full path sorting for parent objects".

* When filling evidence file containers of the old format with v17.8 and v17.9 (a usually hidden option), parent directories were included more than once. That was fixed.

This beta version is also available to BYOD users.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Saturday, Dec 13, 2014 - 9:25:   

v18.0 has just been released. Program help and user manual were updated. Some temporary discounts were just announced at https://twitter.com/XWaysSoftware.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 15, 2014 - 10:40:   

SR-1:

* An exception error was fixed that could occur when using X-Ways Forensics without a second file hash database.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Dec 16, 2014 - 17:06:   

SR-2:

* Support for some additional TIFF subtypes for PhotoDNA matching.

* Certain unsupported TIFF subtypes are now dealt with more properly in that PhotoDNA matching and potentially also skin color detection are not attempted any more if futile, and a question mark is output instead.

* Fix for certain variants of FAT12.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Dec 22, 2014 - 7:32:   

SR-3:

* Support for relative paths when using the PhotoDNA hash database.

* Extraction of EXIF metadata from .wav files.

* Internal timestamps from JPEG files written by recent Canon camera models are now retrieved with original timezone information and thus can be converted to the display time zone.

* Fixed a possible error that could occur when sorting by the SC%/PhotoDNA column.

* Fixed an instability issue that could occur with corrupt Google Chrome caches.

* Fixed an error that could occur when processing .ieurl files extracted from Google Chrome caches.

* Fixed a crash that could occur with Windows Vista thumbcaches.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 2, 2015 - 8:42:   

SR-4:

* Mass metadata extraction no longer slowed down by the option "Coordinate processing by simultaneous users more carefully".

* Fixed an exception error that could occur when using the registry viewer.

* Automatic report table associations with duplicates did not work any more. That was fixed.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Jan 4, 2015 - 21:16:   

SR-5:

* Fixed an error that could cause crashes with OLE2 files in v18.0 SR-4.

* v18.0 did not always match hash values against the hash database in additional volume snapshot refinement runs. That was fixed.

* Fixed an error in the X-Tension API function XWF_GetRasterImage.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 16, 2015 - 6:28:   

SR-6:

* Prevents certain erroneous events with timestamps in the year 1829.

* Fixed inability of v18.0 to extract senders and recipients from all e-mail headers.

* Fixed inadequate handling of bad sectors in recent versions.

* Fixed an exception error that could occur in the 64-bit edition when processing Google Chrome cache files.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Friday, Jan 23, 2015 - 15:58:   

SR-7:

* Fixed an unjustified partial read error in v18.0.

* Fixed potential error about lost comments imported from evidence file containers.

* Fixed a crash that could occur when trying to display very long search hits (e.g. produced with a GREP expression like .*).

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jan 27, 2015 - 20:18:   

SR-8:

* Fixed an exception error that could occur when switching to the search hit list in the Case Root window while sorting in the directory browser was still ongoing.

* Fixed a potential crash with corrupt OLE2 files.

* Fixed dongle errors that a few users experienced when running multiple instances simultaneously.

* Some minor improvements and fixes.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Feb 9, 2015 - 6:32:   

SR-9:

* Fixed an exception error that could occur when automatically verifying images after creation with certain settings.

* Prevents alteration of report table names in certain situations when synchronizing shared analysis work.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Sunday, Feb 22, 2015 - 19:43:   

SR-10:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.0.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Apr 28, 2015 - 19:11:   

SR-11:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.0.
Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Jun 16, 2015 - 17:36:   

SR-12:

* Some of the fixes introduced in later versions. Available on request and highly recommended to users whose update maintenance covered no more than v18.0. This is probably the last service release for v18.0.

Forum operated by X-Ways Software Technology AG.